Governance, Risk & Compliance


“It's not the things you are afraid of that will kill you” - Mark Twain.

I have fielded a number of calls this week from recruiters looking for someone to implement a GRC process for some company. Before I can ask about the firm's board governance towards risk management and accountability, the questions turn to SQL, Java and, well, you get the idea. If a firm does not set its overall risk tolerance, understand its risk profile and empower the managers who take risk to manage that risk, software isn't going to improve anything.

Whether one calls it GRC (Governance, Risk and Compliance), ERM (Enterprise Risk Management), ERP (Enterprise Risk Planning) or OR (Operational Risk), understanding and managing the sources of risk created within an enterprise is a human endeavor requiring judgment. It first requires a strong tone from the top and board engagement. Management must be empowered and incentivized to focus continuously on direct and indirect sources of risk. They need to be able to articulate it to the board and proactively mitigate unproductive and unnecessary risk. Risk taken on to further value creation must be evaluated, balanced against other priorities and monitored. This requires motivation, expertise and persistence.

Risk management systems are useful, but they are limited by their internal algorithms and the data they can analyze. Computers are great at alerting people to quantitative risk metrics but not so good at identifying or evaluating qualitative risk discussions. It is these unstructured risks that have the greatest likelihood of destroying an enterprise's value. Often the events we really care about are the ones that have never happened before, or last occurred before the collective memory of the programmers.

Quantitative metrics are appropriate for managing many types of risk, such as credit risk, market risk and weather. Unfortunately, rare events, the identification of bubbles, binary events, and any discussion that follows the words “assuming a normal distribution” cannot be properly quantified. It is human nature to ignore that which cannot be neatly defined or measured.

Qualitative risk discussions and evaluations are at least an equal partner to quantitative tools. Quantitative methods work well with describable probability distributions such as stock prices, interest rates or hurricane prediction. Companies nevertheless tend to embrace quantitative measurements of risk, for a number of reasons.

First, they can be seductively simple. Isn't it nice if management can be presented with one or a few numbers that will tell them how much risk they are taking on to produce the performance measurements listed in the same report?

Second, even state-of-the-art quantitative tools can be handed off to a committee, subordinates or a contractor. Meaningful qualitative analysis requires extensive and continuing input from management and the board. Outside contractors sell comprehensive risk management tools that primarily collect and evaluate quantitative risks. If this is what they sell, the reasoning goes, this must be what we need.

Third, the government employs quantitative measurements almost exclusively. This is not because regulators don't understand holistic risk practices and the value of qualitative tools. Rather, compliance is a legal and administrative process. In order to enforce a rule on anyone, it must be written, consistent, testable and auditable. Unstructured risk discussions and evaluations do not fit easily within the regulatory structure. I think the best efforts to mandate qualitative risk reporting are the requirements for Form 10-K, which includes Item 1A – Risk Factors and Item 7 – Management's Discussion and Analysis. While very useful to investors, these reports can be vague, irrelevant or difficult to compare across organizations. There is simply too much leeway in their preparation and a lack of timely updates on what should be included going forward.

Governance, Risk and Compliance begins with Governance. It requires the right tone from the top, engaged (and incentivized) management, and a cultural shift to risk being understood as a necessary but controllable input to value creation. Without this, one is left legally compliant but not risk intelligent.

Richard Ellis, PMP PRM

www.E-bRM.com

www.linkedin.com/in/richardellis86

www.richardellis86.blogspot.com
